NEW YORK, NY --(Marketwired - May 19, 2017) - In the news release, "Secdo discovers WannaCry attackers exploited NSA's ETERNALBLUE weeks earlier to steal login credentials," issued earlier today by Secdo, please be advised that the headline should read "Secdo Discovers Hackers Exploited NSA's ETERNALBLUE Weeks Before WannaCry Outbreak to Steal Login Credentials." The image captions have been edited, where applicable, as well. Complete corrected text follows.

Secdo Discovers Hackers Exploited NSA's ETERNALBLUE Weeks Before WannaCry Outbreak to Steal Login Credentials

Organizations potentially exposed to future thread-level attacks that install backdoors, exfiltrate data and steal credentials

NEW YORK, NY -- May 19, 2017 -- Secdo, provider of automated incident response solutions, this week discovered evidence that sophisticated actors leveraged the National Security Agency's (NSA) ETERNALBLUE several weeks before the outbreak of WannaCry to attack organizations, installing backdoors and exfiltrating user credentials in networks around the world. The WannaCry ransomware was just one variant.

Secdo made the discovery in the wake of reports during April by multiple customers, including publicly traded companies, that reported being attacked by an undetectable ransomware on their endpoints. Having recorded every action on those endpoints and servers at the thread level allowed Secdo to play-back, analyze and identify these attacks. The company believes many organizations may continue to be vulnerable to thread-level attacks that install backdoors, exfiltrate data and steal credentials.

  • Read the full Secdo blog explaining the discovery and evidence here

Jake Williams, founder of Rendition Infosec and a SANS Institute instructor, scanned the internet for weeks looking for active infections of DoublePulsar, the backdoor implant tool used alongside ETERNALBLUE in the WannaCry ransomware attack. "Finding a machine with DoublePulsar running indicates that the same vulnerability used in the WannaCry malware was used to compromise Windows machines much earlier," said Williams. "Although the numbers have varied widely, ranging from 25,000-150,000 active infections, it is clear that attackers have been exploiting this vulnerability almost since the day it was released by Shadow Brokers."

Upon gaining entry to Windows-based machines, the attack utilized the NSA's DoublePulsar to spawn a thread within a legitimate system process, allowing it to remain undetected by most detection systems that are unable to collect activities at the thread level.

"WannaCry is merely a visible symptom and not the underlying cause," said Secdo's CTO, Gil Barak. "Multiple threat actors were exploiting ETERNALBLUE to infect endpoints weeks prior to the WannaCry outbreak. Even if your organization successfully blocked or was not attacked by WannaCry, you may still be compromised."

Barak continued, "The attackers had more than a month to breach organizations, install backdoors, steal information and cause other damage, which most organizations may still not be able to discover -- until it's too late. Installing the Microsoft patch is critical for protection from future attacks exploiting Windows SMB, but it does not remediate machines that have already been compromised."

To discover if the breach is still present, organizations should look for thread-based behavioral IOCs that indicate compromise from at least early April. In addition, organizations need to attain continuous visibility at the thread level into every endpoint in the network to hunt and respond effectively to thread-based attacks in the future.


Secdo is the first and only preemptive incident response solution, automating the IR process and slashing incident response time to seconds. Gain unmatched historical thread-level endpoint visibility, automatically investigate any alert and visualize the forensic timeline and attack chain back to the root cause. Then, rapidly and surgically respond and remediate on any endpoint or server without impacting business productivity. Follow us on Twitter at @secdocyber, and on LinkedIn.

Image Available:
Image Available:
Image Available:

Contact Information:

Media Contacts
Michelle Allard McMahon
Rainier Communications
+1 781.718.3248